Last updated: May 21, 2026 · TEMPLATE — review with legal counsel before going live
When you create an account we store your email address, display name, and authentication credentials (hashed). When you use the vault we store the cards, boxes, and sets you add — including any images you upload.
Your data is used only to operate the service for you. We do not sell personal data and we do not share your collection with anyone unless you explicitly create a public share link.
Every account's collection is isolated at the database level using row-level security. No other user can read or modify your data. Administrators may access account metadata for support and abuse-prevention purposes.
Data is stored on managed cloud infrastructure (Supabase / Lovable Cloud). Images are stored in a private bucket and served via signed URLs when needed.
We use first-party cookies and local storage solely for authentication session persistence. No third-party tracking cookies are set.
You may export or delete your account at any time. Email support to request account deletion; all of your data will be removed within 30 days.
Questions about this policy: see the contact page.